In March 2012, Google replaced over 60 existing privacy policies, covering services such as YouTube and Gmail, with one single all-encompassing policy covering the collection of personal data across all its services (the “Revised Policy”). The French data protection authority, Commission Nationale de l’information et des Liberties (“CNIL”), was appointed on behalf of the Article 29 Working Party to assess the Revised Policy's compliance with EU data protection laws.
CNIL published its findings on 16 October 2013 and concluded that Google’s revised policy did not comply with the EU Data Protection Directive. CNIL asked Google to implement its recommendations within four months, however Google failed to do so to the satisfaction of CNIL. CNIL consequently made Google aware that enforcement actions by other EU data protection authorities were possible.
Several other data protection authorities including those in the UK, France, Germany, Italy, Spain and the Netherlands have now considered (or are in the process of considering) whether the Revised Policy is compliant with the data protection laws of their respective countries.
The ICO has informed Google that the Revised Policy falls short of the requirements imposed by the DPA, drawing attention to the fact that the Revised Policy is not informative enough to allow users to understand how their data will be used across all of Google's products. The ICO has the power to serve organisations with a monetary penalty of up to £500,000 for a serious breach of their DPA obligations and has warned Google that if it does not amended the Revised Policy to ensure compliance with the DPA by 20 September 2013, Google will risk enforcement action.
Link to ICO press release: http://www.ico.org.uk/news/latest_news/2013/ico-update-on-google-privacy-policy-04072013